International Association
for Cryptologic Research

Dziembowski, Pietrzak, and Wichs (ICS--2010) introduced the notion of non-malleable codes as a relaxation of the error-correcting codes. Intuitively, a non-malleable code ensures that the tampered codeword encodes the original message or a message that is entirely independent of the original message.

One of the fundamental research directions in the field of non-malleable code construction considers encoding the message into $k$ separates states, where $k\geq 2$, such that each state can be tampered separately by an arbitrary function. The goal of this research effort is to reduce the number of states $k$, while achieving high encoding rate, i.e., the ratio of the message length to the cumulative size of all the $k$ encoded states. The current state-of-the-art provides non-malleable code constructions for 2-states at $1/\log\ell$ rate (Li, STOC--2017), where $\ell$ is the length of the encoded message, and, very recently, for 4-states at $\approx 1/3$ rate (Kanukurthi, Obbattu, and Sekar, TCC--2017). However, there are no known non-malleable code constructions for $k=2$ or $k=3$ with a constant rate. This work contributes to this research endeavor by providing a rate $\approx 1/3$ non-malleable code for $k=3$.

Reducing the number of states $k$ in a non-malleable code is notoriously hard. However, our work succeeds in reducing the number of states required by the construction of Kanukurthi et al. by leveraging a unique characteristic of the non-malleable code for 2-states provided by Aggarwal, Dodis, and Lovett (STOC, 2014).

Masking schemes are a prominent countermeasure to defeat power analysis attacks. One of their core ingredient is the encoding function. Due to its simplicity and comparably low complexity overheads,many masking schemes are based on a Boolean encoding. Yet, several recent works have proposed masking schemes that are based on alternative encoding functions. One such example is the inner product masking scheme that has been brought towards practice by recent research. In this work, we improve the practicality of the inner product masking scheme on multiple frontiers. On the conceptual level, we propose new algorithms that are significantly more efficient and have reduced randomness requirements, but remain secure in the t-probing model of Ishai, Sahai and Wagner (CRYPTO’03). On the practical level, we provide new implementation results. By exploiting several engineering tricks and combining them with our more efficient algorithms, we are able to reduce execution time by nearly 60% compared to earlier works. We complete our study by providing novel insights into the strength of the inner product masking using both the information theoretic evaluation framework of Standaert,Malkin and Yung (EUROCRYPT’09) and experimental analyses with an ARM microcontroller.

Thumbnail preserving encryption (TPE) was suggested by Wright et al. as a way to balance privacy and usability for online image sharing. The idea is to encrypt a plaintext image into a ciphertext image that has roughly the same thumbnail as well as retaining the original image format. At the same time, TPE allows users to take advantage of much of the functionality of online photo management tools, while still providing some level of privacy against the service provider.

In this work we present three new approximate TPE encryption schemes. In our schemes, ciphertexts and plaintexts have perceptually similar, but not identical, thumbnails. Our constructions are the first TPE schemes designed to work well with JPEG compression. In addition, we show that they also have provable security guarantees that characterize precisely what information about the plaintext is leaked by the ciphertext image.

We empirically evaluate our schemes according to the similarity of plaintext and ciphertext thumbnails, increase in file size under JPEG compression, preservation of perceptual image hashes, among other aspects. We also show how approximate TPE can be an effective tool to thwart inference attacks by machine-learning image classifiers, which have shown to be effective against other image obfuscation techniques.

The research topics include but not limited to: symmetric-key cryptography, cryptanalysis, side-channels attacks and counter-measures. Existing research experience on cryptography is preferred. The research scholarship support is for 4 years covering full tuition fees and living allowances. More information about admission to NTU can be found here: http://admissions.ntu.edu.sg/graduate/Pages/home.aspx

Interested candidates are invited to send your CV and reference letters to Asst Prof. Jian Guo.

Closing date for applications: 31 December 2017

Contact: guojian (at) ntu.edu.sg

More information: http://catf.crypto.sg

Several research positions for PhD candidates are open at the new Department of Hardware-oriented Computer Science within the Institute for Computer Engineering and Computer Architecture (ITI) of the University of Stuttgart. Our attractive openings are suitable for doctoral candidates with very good grades who seek to graduate in the fields of hardware-oriented security or emerging circuit and system architectures.

The Institute offers you an inspiring working atmosphere in a successful international team. A substantial part of our research is conducted in cooperation with national and international partners from academic institutions in, among others, the USA, Japan, Israel, and France, and with our partners in the industry. In addition to research activities, we expect from you contributions to our teaching program, supervising of student theses and participation in administrative duties, such as organization of scientific conferences.

If interested, please send your comprehensive application including CV and copies of certificates and grades to the following email address: ilia.polian (at) informatik.uni-stuttgart.de

Closing date for applications: 1 December 2017

Contact: Prof. Dr. Ilia Polian

Institut für Technische Informatik

Pfaffenwaldring 47

D-70569 Stuttgart, Germany

ilia.polian (at) informatik.uni-stuttgart.de

More information: http://www.iti.uni-stuttgart.de/en/institute/available-jobs.html

The 38th annual International Cryptology Conference, Crypto 2018, will be held at the University of California, Santa Barbara (UCSB), August 19-23, 2018. It is one of the three flagship conferences of the International Association for Cryptologic Research (IACR).

IACR is soliciting for affiliated events to be held in conjunction with Crypto 2018 on Saturday, August 18, and/or Sunday, August 19. Each such event is expected to provide a forum discussing a specific topic of the broad cryptographic world (theory, practice, implementation, standardizations, etc.). The format of the event (e.g., workshop, tutorial, etc.) is up to the organizers.

Information on proposing an affiliated event can be found at: https://crypto.iacr.org/2018/callforworkshops.html.

We present a security reduction for the PAK protocol instantiated over Gap Diffie-Hellman Groups that is tighter than previously known reductions. We discuss the implications of our results for concrete security. Our proof is the first to show that the PAK protocol can provide meaningful security guarantees for values of the parameters typical in today's world.

We present Strain, a new auction protocol running on top of blockchains and guaranteeing bid confidentiality against fully-malicious parties. As our goal is efficiency and low blockchain latency, we abstain from using traditional, highly interactive MPC primitives such as garbled circuits. Instead for Strain, we design a new maliciously-secure two-party comparison mechanism executed between any pair of bids in parallel. Using zero-knowledge proofs, Strain broadcasts the outcome of comparisons on the blockchain in a way such that all parties can verify each outcome. While Strain leaks the order of bids, similar to OPE, its core technique of determining the auction's winner is very efficient and asymptotically optimal, requiring only 2 blockchain blocks latency. Strain also provides typical auction security requirements like non-retractable bids against fully-malicious adversaries. Finally, it protects against adversaries aborting the auction by reversible commitments.

Because of the properties such as transparency, decentralization, irreversibility, nonrepudiation, etc., blockchain is not only a fundamental technology of great interest in its own right, but also has large potential when integrated into many other areas. In this paper, based on the blockchain technology, we propose a decentralized e-voting protocol, without the existence of a trusted third party. Furthermore, we provide several possible extensions and improvements that meet the requirements in some specific voting scenarios.

In this paper, we consider one-round protocols for reliable message transmission (RMT) when $t$ out of $n=2t+1$ available channels are controlled by an adversary. We show impossibility of constructing such a protocol that achieves a transmission rate of less than $\Theta(n)$ for constant-size messages and arbitrary reliability parameter. In addition, we show how to improve two existing protocols for RMT to allow for either larger messages or reduced field sizes.

We introduce a new technique that allows to give a zero-knowledge proof that a committed vector has Hamming weight bounded by a given constant. The proof has unconditional soundness and is very compact: It has size independent of the length of the committed string, and for large fields, it has size corresponding to a constant number of commitments. We show five applications of the technique that play on a common theme, namely that our proof allows us to get malicious security at small overhead compared to semi-honest security: 1) actively secure k-out-of-n OT from black-box use of 1-out-of-2 OT, 2) separable accountable ring signatures, 3) more efficient preprocessing for the TinyTable secure two-party computation protocol, 4) mixing with public verifiability, and 5) PIR with security against a malicious client.

Threshold Implementation (TI) is one of the most widely used countermeasure for side channel attacks. Over the years several TI techniques have been proposed for randomizing cipher execution using different variations of secret-sharing and implementation techniques. For instance, direct-shares is the most straightforward implementation of the threshold countermeasure. But, its usage is limited due to its high area requirements, whereas, the 3-shares countermeasure for cubic non-linear functions significantly reduces area and complexity compared to direct-shares.

Nowadays, security of ciphers using a side channel countermeasure is of utmost importance. This is due to the wide range of security critical applications from smart cards, battery operated IOT devices to accelerated crypto-processors. Such applications have different requirements (higher speed, energy efficiency, low latency, small area etc.) and hence need different implementation techniques. This paper presents an in-depth analysis of the various ways in which TI can be implemented for a lightweight cipher. We chose GIFT for our analysis as it is currently the most energy-efficient lightweight cipher. We present nine different profiles using different implementation techniques and show that no single technique is good for all scenarios. For example, the direct-shares technique is good for high throughputs whereas 3-shares is suitable for constrained environments with less area and moderate throughput requirements. The techniques presented in the paper are also applicable to other blockciphers. For security evaluation, we performed CPA on the 3-shares technique as it has good area versus speed trade-off. Experiments using 3 million traces show that it is protected against first-order attacks.

Aerial drones are becoming an integral part of application domains such as package delivery, construction, monitoring and search/rescue operations. It is critical to ensure the cyber-security of networked aerial drone systems in these applications. Standard cryptographic services can be deployed to provide basic security services; however, they have been shown to be highly energy costly for small aerial drones. Therefore, there is a significant need for a highly energy efficient cryptographic framework that can meet the requirements of small aerial drones.

In this paper, {\em we propose a new cryptographic framework for small aerial drones, which offers significant energy efficiency and speed advantages over standard cryptographic techniques}: (i) We create (to the best of our knowledge), the first highly optimized public key infrastructure (PKI) based framework for small aerial drones, which provides energy efficient digital signature and public key encryption techniques by harnessing special pre-computation methods and optimized elliptic curves. (ii) We also integrate some of the most recent light-weight symmetric primitives into our PKI techniques to provide a full-fledged cryptographic framework. (iii) We implemented standard counterparts and our proposed techniques on an actual small aerial drone (Crazyflie 2.0), and provided an in-depth energy consumption analysis. Our experiments showed that {\em our new cryptographic framework achieves up to 35$\times$ lower energy consumption than its standard counterpart}. To the best of our knowledge, this is the first realization of an ultra-light cryptographic framework targeting small aerial drones. We make our framework open-source for public testing and adaptation purposes.

The increasing use of machine learning algorithms to deal with large amount of data and the expertise required by these algorithms lead users to outsource machine learning services. This raises a trust issue about their result when executed in an untrusted environment. Verifiable computing (VC) tackles this issue and provides computational integrity for an outsourced computation, although the bottleneck of state of the art VC protocols is the prover time. In this paper, we design a VC protocol tailored to verify a sequence of operations for which existing VC schemes do not perform well on \emph{all} the operations. We thus suggest a technique to compose several specialized and efficient VC schemes with Parno et al.'s general purpose VC protocol Pinocchio, by integrating the verification of the proofs generated by these specialized schemes as a function that is part of the sequence of operations verified using Pinocchio. The resulting scheme keeps Pinocchio's property while being more efficient for the prover. Our scheme relies on the underlying cryptographic assumptions of the composed protocols for correctness and soundness.

Code-based Cryptography is one of the main areas of interest for the Post-Quantum Cryptography Standardization call. In this paper, we introduce DAGS, a Key Encapsulation Mechanism (KEM) based on Quasi-Dyadic Generalized Srivastava codes. The scheme is proved to be IND-CCA secure in both Random Oracle Model and Quantum Random Oracle Model. We believe that DAGS will offer competitive performance, especially when compared with other existing code-based schemes, and represent a valid candidate for post-quantum standardization.

In this paper we formulate a SAT/SMT model for Rotational-XOR (RX) cryptanalysis in ARX primitives for the first time. The model is successfully applied to the block cipher family Speck, and distinguishers covering more rounds than previously are found, as well as RX-characteristics requiring less data to detect. In particular, we present distinguishers for 10, 11 and 12 rounds for Speck32/64 which have better probabilities than the previously known 9-round differential characteristic, for a certain weak key class. For versions of Speck48, we present several distinguishers, among which the longest one covering 15 rounds, while the previously best differential characteristic only covered 11.

Participatory or crowd-sensing applications process sensory data contributed by users and transform them to simple visualizations (such as for example noise or pollution levels) that help create an accurate representation of the surrounding environment. Although contributed data is of great interest to individuals, the involvement of citizens and community groups, however, is still limited. Hence, incentivizing users to increase participation seems crucial for the success of participatory sensing.

In this paper, we develop a privacy-preserving rewarding scheme which allows campaign administrators to reward users for the data they contribute. Our system of anonymous tokens allow users to enjoy the benefits of participation while at the same time ensuring their anonymity. Moreover, rewards can be accumulated together thus further increasing the level of privacy offered by the system. Our proposal is coupled with a security analysis showing the privacy-preserving character of the system along with an efficiency analysis demonstrating the feasibility of our approach in realistic deployment settings.

The robustness of (approximate) differential privacy (DP) guarantees in the presence of thousands and even hundreds of thousands observations is crucial for many realistic application scenarios, such as anonymous communication systems, privacy-enhancing DB queries, or privacy-enhancing ML methods. Composition theorems capture DP under repeated observations, but previous work provides untight bounds, which can tremendously amplify after hundreds of thousands of compositions.

This work improves on previous work by providing upper and lower bounds for approximate DP, which enables us to quantify how untight our upper bound is. We introduce a numerical method and an implementation for computing provable upper and lower bounds for approximate DP for a given number of observations. In contrast to previous work, our bucketing method retains the shape of the distributions which enables us to compute tighter bounds. We show that, while previous work seems to be tight for the Laplace mechanism on statistical queries, our work is significantly tighter for other scenarios, such as the Gaussian mechanism on statistical queries or for real-world timing leakage data. We show that it is worth to conduct a tight privacy analysis by improving, as a case study, the privacy analysis of the anonymous communication system Vuvuzela. We show that for the same privacy target as in the original Vuvuzela paper, 5 to 10 times less noise already suffices, which significantly reduces Vuvuzela's overall bandwidth requirement.

It is well-known that a program's memory access pattern can leak information about its input. To thwart such leakage, most existing works adopt the solution of oblivious RAM (ORAM) simulation. Such a notion has stimulated much debate. Some have argued that the notion of ORAM is too strong, and suffers from a logarithmic lower bound on simulation overhead. Despite encouraging progress in designing efficient ORAM algorithms, it would nonetheless be desirable to avoid the oblivious simulation overhead. Others have argued that obliviousness, without protection of length-leakage, is too weak, and have demonstrated examples where entire databases can be reconstructed merely from length-leakage.

Inspired by the elegant notion of differential privacy, we initiate the study of a new notion of access pattern privacy, which we call ``$(\epsilon, \delta)$-differential obliviousness''. We separate the notion of $(\epsilon, \delta)$-differential obliviousness from classical obliviousness by considering several fundamental algorithmic abstractions including sorting small-length keys, merging two sorted lists, and range query data structures (akin to binary search trees). We show that by adopting differential obliviousness with reasonable choices of $\epsilon$ and $\delta$, not only can one circumvent several impossibilities pertaining to the classical obliviousness notion, but also in several cases, obtain meaningful privacy with little overhead relative to the non-private baselines (i.e., having privacy ``almost for free''). On the other hand, we show that for very demanding choices of $\epsilon$ and $\delta$, the same lower bounds for oblivious algorithms would be preserved for $(\epsilon, \delta)$-differential obliviousness.

Hierarchical secret sharing schemes distribute a message to a set of shareholders with different reconstruction capabilities. In distributed storage systems, this is an important property because it allows to grant more reconstruction capability to better performing storage servers and vice versa. In particular, Tassa's conjunctive and disjunctive hierarchical secret sharing schemes are based on Birkhoff interpolation and perform equally well as Shamir's threshold secret sharing scheme. Thus, they are promising candidates for distributed storage systems. A key requirement is the possibility to perform function evaluations over shared data. However, practical algorithms supporting this have not been provided yet with respect to hierarchical secret sharing schemes. Aiming at closing this gap, in this work, we show how additions and multiplications of shares can be practically computed using Tassa's conjunctive and disjunctive hierarchical secret sharing schemes. Furthermore, we provide auditing procedures for operations on messages shared hierarchically, which allow to verify that functions on the shares have been performed correctly. We close this work with an evaluation of the correctness, security, and efficiency of the protocols we propose.